EXIN PDPF Privacy and Data Protection Foundation
https://killexams.com/pass4sure/exam-detail/PDPF

Question: 45
A written contract between a controller and a processor is called a data processing agreement. According to the GDPR, what does not have to be covered in the written contract?
A. The contractor code of business ethics and conduct that is used.
B. Which data are covered by the data processing agreement
C. The information security and personal data breach procedures
D. The technical and organizational measures implemented
Answer: A
Explanation:
The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))
The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.
The technical and organizational measures implemented. Incorrect. This is mandatory because it describes technical and organizational measures the processor must take.
Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.

Question: 46
How are the terms privacy and data protection related?
A. Data protection is the right to privacy.
B. The terms are synonymous.
C. Privacy includes the right to the protection of personal data.
Answer: C

Question: 47
GDPR quotes in one of its principles that personal data should be adequate, relevant and limited to what is necessary in relation to its purpose. What principle is this?
A. integrity and confidentiality
B. purpose limitation
C. data minimization
D. lawfulness, loyalty and transparency
Answer: C
Explanation:
In its Article 5, which deals with the Principles concerning the processing of personal data, paragraph 1, the GDPR describes:

Question: 48
“The controller shall implement appropriate technical and organizational measures for ensuring that (…) only personal data which are necessary for each specific purpose of the processing are processed.”
Which term in the GDPR is defined here?
A. Compliance
B. Data protection by default and by design
C. Embedded data protection
Answer: B
Explanation:
Compliance. Incorrect. Compliance means meeting rules or standards.
Data protection by design and by default. Correct. By default, the minimum of personal data is to be processed for the shortest possible period, using the best possible security measures to prevent unauthorized access. Data protection by design refers to processing that includes appropriate measures to implement data protection principles. (Literature: A, Chapter 8; GDPR Article 25)
Embedded data protection. Incorrect. Embedded data protection is the result of data protection by design.

Question: 49
A processor is instructed to report on customers who bought a product both last month and at least once in the three months before that. Unfortunately, the processor makes a mistake and uses personal data collected by another controller for a different purpose. The mistake is found before the report is created, and nobody has access to personal data he or she should not have had access to.
How should the processor act on this situation and what should the controller do, if anything?
A. The processor must notify the controller and the controller must notify the Data Protection Authority of a data breach.
B. The processor must notify the controller of a data breach. The controller must assess the possible risk to the data subjects.
C. The processor must notify the Data Protection Authority of a data breach. The controller must execute a PIA to assess the risk to data subjects.
D. The processor must restart processing using the right data. There is no need for the controller to act.
Answer: B

Question: 50
While paying with a credit card, the card is skimmed (i.e. the data on the magnetic strip is stolen). The magnetic strip contains the account number, expiration date, cardholder’s name and address, PIN number and more.
What kind of a data breach is this?
A. Material
B. Non-material
C. Verbal
Answer: B

Question: 51
A personal data breach has occurred, and the controller is writing a draft notification for the supervisory authority. The following information is already in the notification:
- The nature of the personal data breach and its possible consequences.
- Information regarding the parties that can provide additional information about the data breach.
What other information must the controller provide?
A. Information of local and national authorities that were informed about the data breach.
B. Name and contact details of the data subjects whose data may have been breached
C. Suggested measures to mitigate the adverse consequences of the data breach.
D. The information needed to access the personal data that have been breached.
Answer: C
Explanation:
Information of local and national authorities that were informed about the data breach. Incorrect. The supervisory authority must be made aware of reports to supervisory authorities in other EEA countries. Reports to local authorities, for instance the police, do not need to be reported.
Name and contact details of the data subjects whose data may have been breached. Incorrect. The supervisory authority requires an estimate of the number of data subjects involved, not their personal data.
Suggested measures to mitigate the adverse consequences of the data breach. Correct. The controller should add suggested measures to mitigate the adverse consequences of the data breach. (Literature: A, Chapter 7; GDPR Article 33(q))
The information needed to access the personal data that have been breached. Incorrect. The supervisory authority needs to know the type of personal data involved, but does not need access to the data themselves.

Question: 52
When does the GDPR require data subjects' consent to a cookie?
A. Always, because a cookie is regarded as an online identifier
B. Never, as the EU Cookie Law does not require explicit consent
C. Only if the cookie contains authentication information of the data subject
D. Only if the cookie contains shopping basket items
Answer: A
Explanation:
Reference: https://eugdprcompliant.com/cookies-consent-gdpr/

Question: 53
According to the GDPR, for which situations should a Data Protection Impact Assessment (DPIA) be conducted?
A. For all projects that include technologies or processes that require data protection
B. For all sets of similar processing operations with comparable risks
C. For any situation where technologies and processes will be subject to a risk assessment
D. For technologies and processes that are likely to result in a high risk to the rights of data subjects
Answer: A
Explanation:
Reference: https://eugdprcompliant.com/dpia-guidelines/

Question: 54
A controller discovers that a data subject, who had given consent for the processing of his data, has passed away.
What does this imply for data processing according to the General Data Protection Regulation (GDPR)?
A. With the death of the data owner, the controller can continue processing the data, as they are no longer under the GDPR.
C. The data can only be processed by the controller respecting the consent provided by the holder.
D. The controller must delete the data of the holder, since with the death of the holder the consent is automatically revoked.
E. The controller can process the data of a deceased person as long as it anonymizes the data.
Answer: A
Explanation:
With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR.
Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Question: 55
What is the role of the one assigned the responsibility to govern the purposes and means of processing personal data within an organization, according to the GDPR?
A. Controller
B. Data Protection Officer
C. Data Subject
D. Processor
Answer: A
Explanation:
Reference: https://www.i-scoop.eu/gdpr/data-controller-data-controller-duties